Massachusetts State Privacy Law to affect hundreds of Oracle
databases

Oracle Database Tips by Donald Burleson, April 29, 2015

Massachusetts has enacted a new data privacy law with sweeping
implications for Oracle databases all across America.

The Massachusetts data security law (201 CMR 17.00) is a powerful
new data privacy law, which says that any database, anywhere
on the planet, that contains personal information about a resident
of Massachusetts must be encrypted, or else face a $50,000 fine!

"Companies must file their WISPs with the state
[of Massachusetts] to show that they have data security programs in
place and confirm that they're compliant.

That's critical, because there's no other
auditing or oversight mechanism."

Note that this new law should not be a problem for Oracle shops
that follow Oracle best practices and encrypt confidential customer
information; they only need to file the WISP with the state of
Massachusetts. This law is also similar to many existing
state laws that require Oracle DBAs to perform due diligence and
encrypt sensitive information, and most Oracle shops did this
years ago.

This new data privacy law has wide reach, and it applies to any
database, anywhere on the planet, that stores personally identifiable
information about a Massachusetts resident. The law requires
owners of all Oracle databases that contain personally identifiable
information to:

Have an active security program: You
must attest that you have a working data security program in
place to protect any personally identifiable information (PII)
you've collected from state residents. This personally
identifiable information includes data that is unique to you
alone, things such as your home address, Social Security
numbers, driver's license numbers and financial account
information. It DOES NOT include information that does not
specifically identify you, data like your eye color, a list of
your favorite movies, your salary, or your occupation.

Publish a written security policy:
You must maintain a comprehensive written information security
program (WISP) that includes "technical, administrative, and
physical safeguards" to protect PII. Here is an
example WISP.

Encrypt confidential data: You must
maintain data encryption on all data, including data in Oracle
databases, spreadsheets, laptops and portable data management
devices like iPhones, MP3 players and even USB drives.

This law attempts to protect Massachusetts residents from
inadvertent disclosure of confidential personal information, and it
overlaps with several existing federal data-centric mandates such as
HIPAA, SOX and GLB.

This new state law comes with teeth: stiff fines for failure to
comply, at $5,000 per violation, $50,000 per instance and
$100 per resident affected.

States' rights to impose their laws upon foreign jurisdictions

This is not the first time that a sovereign jurisdiction has
attempted to regulate the entire world, and other attempts to
regulate the internet have met with failure.

The dormant commerce clause (Article 1, Section 8, Clause 3 of
the United States Constitution)
prohibits states from interfering with interstate commerce and
gives Congress the exclusive power "to regulate commerce with
foreign nations, and among the several states".

Hence, we see these notable failures among States and countries
who have tried to regulate eCommerce:

North Carolina - The North Carolina Auctioneering Licensing
Board issued a ruling that anyone, anywhere, who sells goods to a
North Carolina resident via an online auction must possess a
valid North Carolina auctioneer's license.
eBay successfully fought this law.

The fines in a typical Oracle database could reach millions of
dollars, a potential boon as cash-strapped Massachusetts (often
mocked as "Taxachusetts") tries to fill its coffers by fining
Oracle database owners.

The ramifications of this law are unclear, and its enforceability
across jurisdictions will surely be challenged in court.
However, it is clear that Oracle DBAs have a clear mandate to
protect the privacy of confidential personal information.
